SAN FRANCISCO – E-mailers, enjoy the early holiday gift: Spam volume has been cut by more than half because Internet providers pulled the plug on a Web hosting firm that was allegedly helping some of the world’s most dastardly junk e-mail gangs.

The break won’t last long. Garbage e-mail levels are already swelling again, and are expected to return to normal in a matter of days.

’Tis the season, after all: The holidays are the busiest time of the year for spammers, and criminals are hustling to reconnect with potentially millions of virus-infected PCs that they once used to send spam – junk mail that accounts for 90 percent of the world’s e-mail.

Spam fighters scored big last week with the takedown of McColo Corp., a U.S.-based company apparently catering to bulk e-mailers. But the battle against McColo also highlights the difficulty in squashing spam-sending operations. Slapping one down means it just pops up somewhere else.

“It is always a cat-and-mouse game, and we fully expect there will be a countermove,” said Doug Bowers, senior director of anti-abuse engineering for Symantec Corp.

Companies like McColo can be difficult for law enforcement to take down. Authorities have to prove company officials knew crimes were being committed through their servers. Web hosting companies often argue that they don’t monitor how customers use their services.

In this case, security researchers amassed evidence of wrongdoing on their own and confronted McColo’s Internet providers to get the Web hosting service taken down.

McColo, which claims a Delaware mailing address and a data center in Silicon Valley, has been on security researchers’ radars for more than a year. Many spam filters blocked messages coming through McColo’s service.

The FBI declined to comment. However, it appears that spam senders used McColo’s service to send commands to large numbers of PCs they had hijacked.

Having that conduit is critical. Spammers use networks of compromised computers – known as “botnets,” or networks of robot or zombie PCs – to amass enough computing power to send millions of messages a day. The owners of those machines typically don’t know their computers are secretly being used for this purpose. But criminals need a way to communicate with these computers and a Web hosting company willing to look the other way.

McColo representatives didn’t return calls for comment from The Associated Press. McColo’s Web site was no longer working.

A big problem in tracing the Web hosting companies responsible for enabling botnets is that the traffic from infected computers goes through different Internet providers, so the trail goes cold fast.

The case against McColo, first reported by The Washington Post, was built by security researchers over time and detailed in a recent analysis by HostExploit, a group that tracks Internet threats.

McColo was apparently a choke point for the spamming industry. Some of the world’s biggest botnets operated through McColo’s servers, according to security researchers.

Worldwide spam volume was about 153 billion e-mail messages on Nov. 11, the day McColo’s Internet providers yanked its service. In two days, that dropped to 64 billion messages, according to IronPort, a security firm owned by Cisco Systems Inc.

It hasn’t taken long for things to pick up again.

Security firm Sophos PLC reported Sunday that McColo was back online again after scoring service from a Swedish Internet provider. The service was withdrawn after the Internet provider heard from security researchers.

IronPort said Monday that spam volume was climbing, and had reached an estimated 71 billion messages.

Just a few years ago, when spammers lost access to a botnet of infected PCs – because their Internet connection was severed – the operation could be decapitated. Now it’s like cutting off an arm. The criminals can find another Internet provider, and they’ve changed their tactics to get things running again quickly.

One change in strategy is to seed the infected computers under their control with information about the location of other infected computers in the same botnet. After an outage, the criminals then need to contact only some of those machines to touch off a chain reaction that reaches all the other infected computers and resurrects the entire army.

“This is a temporary reprieve,” said Nilesh Bhandari, a product manager with IronPort, “and we should enjoy it while we can.”
